Securely Encrypt Removable Media with Ubuntu

The other day my Dad mentioned that “any true geek always carries a USB drive with him”. I proved my geek-hood by producing the 2G titanium thumb drive from around my neck. I then did him one further by telling him that the drive was encrypted with AES 256-bit encryption. I don’t know whether or not he was impressed, but I sure proved that I am a true geek. It was this experience that prompted me to share my instructions on how to securely encrypt any removable drive.

Following the steps outlined in this tutorial will wipe all data from the device or partition that you present to the encryption utility. You cannot encrypt an existing system using this method and retain the data. Please ensure that you have backups of your data, or that your data is otherwise expendable.

Step 1:

The first step in this tutorial is installing the cryptsetup utility. This tool is part of the cryptsetup package, which is available in the default repositories. You can search for this using your favorite package management utility or install from the terminal using the command:

sudo aptitude install cryptsetup

Step 2:

Once you have the required utility installed, we’ll need to prepare the device for use. This step will alter the partition table on the device, potentially causing loss of data. Again, refer to the warning above.

Identify the Device

We need to know the /dev/ entry that the device is assigned in order to successfully partition and encrypt it. There are two methods outlined below which can aid you in determining the device name. In many cases the device may be listed as /dev/sdb1, /dev/sdc1, etc.

The first method of identifying the device is using the fdisk utility. Simply listing all available partitions may help you determine the device. Hint: you can use the size of the device to help determine its device entry if needed.

In this example I have determined that my 1G USB drive is detected as /dev/sdb1. This will be the device entry that I will use moving forward.
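A cross-check on the device name before any destructive step, as an added example that is not part of the original tutorial: the script lists only the disks the kernel flags as removable, with size, model and partitions, read from /sys/block. The function name list_removable and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list block devices the kernel marks as removable, so the
# target can be confirmed before it is repartitioned and wiped.
# Usage: list_removable [SYSFS_BLOCK_DIR]
# The argument (hypothetical, for testing against a constructed tree)
# defaults to the real /sys/block.
list_removable() {
    sysblock="${1:-/sys/block}"
    for dev in "$sysblock"/*; do
        [ -r "$dev/removable" ] || continue
        # 1 = removable media (USB sticks, card readers). USB hard disks
        # often report 0 and will not be listed here.
        [ "$(cat "$dev/removable")" = "1" ] || continue
        name=$(basename "$dev")
        # sysfs reports size in 512-byte sectors whatever the real sector size
        sectors=$(cat "$dev/size" 2>/dev/null) || sectors=0
        # skip empty card-reader slots
        [ "$sectors" -gt 0 ] || continue
        mib=$((sectors / 2048))
        # model strings are space-padded; trim the padding
        model=$(sed 's/ *$//' "$dev/device/model" 2>/dev/null) || model=unknown
        # partitions are subdirectories named after the disk, e.g. sdb/sdb1
        parts=""
        for p in "$dev/$name"*; do
            if [ -d "$p" ]; then
                parts="$parts /dev/$(basename "$p")"
            fi
        done
        echo "/dev/$name ${mib}MiB model=$model partitions:${parts:- none}"
    done
    return 0
}

list_removable "$@"
```

If the internal system disk ever shows up in this list, or the size and model do not match the drive in your hand, stop before moving on to partitioning.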

A second method that you can use to determine the device is the dmesg utility. The dmesg utility outputs kernel-level messages to the console. One little “trick” is to unplug and replug your removable disk, and then run dmesg. You should see output similar to: